https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
TL;DR
CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those whitelisted domains, ignoring all other script (including inline scripts and event-handling HTML attributes).
Status | New | ⇒ | Discussion |
Category | ⇒ | Plugins |
I'm happy to integrate this header in principle. But it's not straightforward. So off the top of my head:
First of all, we absolutely must allow inline styles BY DEFAULT - even if core doesn't actually include any (I have no problem with this being a flag we can turn off). But it breaks too many extensions and frankly isn't worth it.
Second of all, how are we dealing with the reports? Being able to clearly display reports to the user is obviously important so they can see if either people are trying to build XSS attacks or, conversely, if they have broken their own site with their rules by accident.
Third of all, how are we going to allow customisation of this header for people using CDNs etc.?
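The three requirements in the comment above (inline styles allowed by default but switchable, a place for violation reports to land so they can be shown to the admin, and extra sources for CDNs) as a worked example in PHP. This is an added illustration, not code from the issue, from Joomla core or from any plugin; the `$settings` array, `buildCspHeader`, `parseCspReport` and the `/csp-report.php` path are assumed names.

```php
<?php
// Added example, not Joomla core or plugin code. Builds a CSP header from
// hypothetical plugin settings and parses a browser violation report.

// Hypothetical plugin settings; 'cdn_hosts' covers the CDN customisation point.
$settings = [
    'allow_inline_styles' => true,                      // on by default, as requested
    'cdn_hosts'           => ['https://cdn.example.com'], // constructed sample host
    'report_uri'          => '/csp-report.php',         // placeholder report endpoint
];

function buildCspHeader(array $s): string
{
    $self  = ["'self'"];
    $hosts = array_merge($self, $s['cdn_hosts']);
    $directives = [
        'default-src ' . implode(' ', $self),
        // Scripts: only self plus configured CDNs; no inline scripts, no eval.
        'script-src ' . implode(' ', $hosts),
        // Styles: inline allowed by default because extensions rely on it.
        'style-src ' . implode(' ', $hosts) . ($s['allow_inline_styles'] ? " 'unsafe-inline'" : ''),
        'img-src ' . implode(' ', array_merge($hosts, ['data:'])),
        // Browsers POST a JSON report here whenever a directive blocks something.
        'report-uri ' . $s['report_uri'],
    ];
    return implode('; ', $directives);
}

// Parse the JSON the browser POSTs to report-uri ({"csp-report": {...}}) into
// the fields an admin would want listed in the backend.
function parseCspReport(string $json): ?array
{
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
        return null; // malformed or not a CSP report
    }
    $r = $data['csp-report'];
    return [
        'page'      => $r['document-uri'] ?? '',
        'directive' => $r['violated-directive'] ?? $r['effective-directive'] ?? '',
        'blocked'   => $r['blocked-uri'] ?? '',
    ];
}

// Send as Report-Only first, so a wrong rule only produces reports instead of
// breaking the site; switch to Content-Security-Policy once reports are clean.
header('Content-Security-Policy-Report-Only: ' . buildCspHeader($settings));

// Constructed sample report, shaped like what a browser posts after blocking a script.
$sample = '{"csp-report":{"document-uri":"https://site.example/","violated-directive":"script-src","blocked-uri":"https://third-party.example/x.js"}}';
print_r(parseCspReport($sample));
```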
1st: inline styles are allowed
2nd: makes sense
3rd: if this is done at the CMS level then customization should be easy to add
+1, makes sense. Needs to be configurable though.
One more HUGE advantage with the strict mode is that SVGs will be safer with a lot less sniffing...
This should be a plugin, like the P3P plugin, and then people can choose if they want it, and configure it how they want it.
And while you are there, delete the P3P plugin :)
It is removed in 4.0 btw ;)
Are people still interested in this? I was going to write a plugin for this.
There is already a CSP Plugin proposal: #18301 and there is a plugin for joomla 3 here:
https://github.com/zero-24/plg_system_httpheader
and here a CSP Reporter Script:
https://github.com/zero-24/csp-reporter-php
I think all little improvements like this are the only things that will let Joomla return to rock. Joomla needs to add every tool, with a good UI, that can give us full control of the CMS for a battle against SEO obstacles, UX problems in BE and FE, security weaknesses, etc.
In this case the must is a core plugin, where we can control the HTTP header generation ;-)
If anyone is not familiar with CSP and needs to know why it's so important, please read https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-02-05 10:52:08 |
Closed_By | ⇒ | brianteeman |
+1 for supporting / respecting CSP, and +1 for the strictest mode, i.e. get rid of all inline script.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/14246.